JDY Botnet Resurges with 1,500+ SOHO and IoT Devices for State-Sponsored Reconnaissance
A China-linked botnet called JDY has expanded to compromise over 1,500 small office, home office, and IoT devices, operating as a centralised scanner for discovering and mapping exposed internet-facing services. This represents a significant reconnaissance infrastructure used by state-sponsored actors to identify targets at scale.
Affected
Lumen researchers have identified a resurgence of JDY, a botnet infrastructure attributed to China-linked state-sponsored threat actors. The botnet comprises over 1,500 compromised SOHO and IoT devices operating as a centralised, high-performance network scanner designed to discover, fingerprint, and continuously map exposed services at internet scale. This represents a shift in reconnaissance methodology: rather than relying on commercial scanners or single compromised hosts, the adversary has built distributed scanning capacity across hundreds of consumer-grade and embedded devices.
The technical architecture of JDY reflects mature operational tradecraft. Centralised control combined with distributed scanning provides significant advantages: traffic is dispersed across thousands of IP addresses, making detection and attribution difficult; scanning activity blends with normal device behaviour; and the infrastructure is resilient to takedowns of individual nodes. The use of SOHO and IoT devices is deliberate: these categories have poor patch rates, weak authentication, and are often ignored by enterprise security teams, making them ideal persistent platforms.
The reconnaissance mission itself signals preparation for broader attack campaigns. Continuous mapping of exposed services allows threat actors to maintain an up-to-date inventory of potential targets, their software versions, and network configurations. This feeds targeting decisions for subsequent exploitation, credential harvesting, or supply-chain compromises. The scale (1,500+ devices) indicates either a long-dormant infrastructure being reactivated or aggressive recent compromise activity.
Defenders should assume that SOHO and IoT devices on their network perimeters have been scanned and fingerprinted. Organisations must implement network segmentation to isolate these device categories, enforce firewall rules to block unexpected outbound scanning traffic, and monitor for command-and-control communications from compromised SOHO and IoT hosts. At a broader level, the resurgence of JDY reflects the enduring value of patient reconnaissance infrastructure to state-sponsored adversaries: investment in distributed scanning capability pays dividends across multiple campaigns and years.
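One concrete form of the outbound-scanning monitoring recommended above, written as an added example rather than anything from Lumen's report: aggregate firewall or NetFlow records over a time window and flag hosts in the SOHO/IoT segment that fan out to many distinct external addresses across several service ports, which is the traffic pattern a device conscripted into a distributed scanner produces. The segment ranges, thresholds and flow records are constructed assumptions.

```python
"""Flag SOHO/IoT hosts whose outbound traffic looks like service scanning.

Constructed example: flow records are (src_ip, dst_ip, dst_port) tuples such as a
firewall or NetFlow exporter would yield after aggregation over one time window.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical segment layout; adjust to the network being monitored.
IOT_SEGMENTS = [ip_network("192.168.50.0/24")]
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]


def _in_any(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def constructed_flows():
    """Synthetic flows for one window: a quiet camera, a scanning node, a workstation."""
    flows = [("192.168.50.10", dst, 443) for dst in ("203.0.113.5", "203.0.113.6")]
    service_ports = [22, 23, 80, 443, 8080, 8443]
    # A compromised IoT node probing many external hosts on common service ports
    flows += [("192.168.50.23", f"198.51.100.{i}", service_ports[i % 6]) for i in range(1, 31)]
    # Ordinary workstation browsing: broad fan-out, but one port and not in an IoT segment
    flows += [("192.168.10.40", f"192.0.2.{i}", 443) for i in range(1, 31)]
    return flows


def scanner_candidates(flows, segments=IOT_SEGMENTS, min_targets=20, min_ports=4):
    """Return hosts in `segments` contacting >= min_targets external IPs on >= min_ports ports.

    A scanner fans out to many distinct destinations across several service ports;
    legitimate IoT devices talk to a handful of fixed cloud endpoints.
    """
    per_host = defaultdict(lambda: {"targets": set(), "ports": set()})
    for src, dst, port in flows:
        if not _in_any(src, segments) or _in_any(dst, INTERNAL_RANGES):
            continue  # only outbound traffic from the monitored device segments
        per_host[src]["targets"].add(dst)
        per_host[src]["ports"].add(port)
    return sorted(h for h, s in per_host.items()
                  if len(s["targets"]) >= min_targets and len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    for host in scanner_candidates(constructed_flows()):
        print(f"scanner-like outbound fan-out from {host}")
```

In production the same aggregation is run per sliding window (for example five minutes), and a flagged host is a candidate for isolation and firmware review rather than an automatic verdict.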
The broader implication is that SOHO and IoT compromises, often dismissed as low-risk by enterprise teams, function as force multipliers for state-sponsored actors. Until organisations treat the security of these devices with the same rigour applied to servers and workstations, they will continue to serve as persistent reconnaissance platforms operated by sophisticated adversaries.